Japan-Centric APT Campaign Targets Government

The hackers believed to be behind the election-season hacking in the United States may have now set their sights on Japan.

While investigating some of the smaller-name servers that the hacking group, known as APT28 or Sofacy, routinely uses to host its infrastructure, security firm Cylance discovered another prolonged campaign that appeared to exclusively target Japanese companies and individuals. The firm tracks this threat group internally as “Snake Wine.”

“The Snake Wine group has proven to be highly adaptable and continued to adopt new tactics in order to establish footholds inside of victim environments,” Cylance researchers said in a blog post. “The exclusive interest in Japanese government, education, and commerce will continue into the future as the group is just starting to build and utilize their existing current attack infrastructure. If the past is an accurate indicator, attacks will continue to escalate in both skill and intensity as the attackers implement new tactics in response to defenders acting on previously released information.”

The campaign began around August of 2016—and to date, all observed attacks have been the result of spear phishing attempts against the victim organizations, in which malicious attachments unpack a back door that functions primarily as a modular platform. The attacker then has the ability to directly download additional modules and execute them in memory from the command and control (C2) server.

Common activities are identifying processor, memory, drive and volume information, executing commands directly from the attacker, enumerating and removing files and folders, and uploading and downloading files. A number of the samples are signed using the leaked code-signing certificate from the Hacking Team breach.

As for attribution, Snake Wine has aspects that link it to the Russian group—but also leaves footprints that trace back to Chinese actors.

“[The] registration style was eerily close to previously registered APT28 domains; however, the malware used in the attacks did not seem to line up at all,” Cylance researchers said. “Cylance believes some of the steps taken by the attacker could possibly be an attempt at a larger disinformation campaign based upon some of the older infrastructure that would link it to a well-known CN-APT group.”

Perhaps the most interesting aspect of the Snake Wine group is the number of techniques used to obscure attribution.

“Signing the malware with a stolen and subsequently publicly leaked code-signing certificate is sloppy even for well-known CN-APT groups,” the researchers said. “Also of particular interest from an attribution obfuscation perspective is direct IP crossover with previous Dynamic DNS domains associated with known CN-APT activity. A direct trail was established over a period of years that would lead competent researchers to finger CN operators as responsible for this new activity as well. Also of particular interest was the use of a domain hosting company that accepts BTC and was previously heavily leveraged by the well-known Russian group APT28.”